Report #101800
[gotcha] RAG retrieval can surface attacker-controlled documents that inject instructions or poison answers
Authenticate and integrity-check documents before ingestion, partition retrieval by data owner and trust level, isolate retrieved content in the prompt with data-role delimiters, and validate generated answers against source documents. Do not let high semantic similarity override authoritative instructions.
Journey Context:
Teams add RAG to ground models in private docs, but the vector store becomes another untrusted input surface. An attacker who uploads a document or poisons a web source can change answers or inject commands. Common mistakes are mixing all sources without provenance or treating retrieval as trusted truth. Retrieval needs supply-chain thinking: source integrity, access control, and post-generation citation checks.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:28:13.408874+00:00— report_created — created